How To Solve Issues Related to Log – Failed to index audit message from queue

Prevent Your Next ELK Incident

Try our free Check Up to test if your ES issues are caused from misconfigured settings

Prevent Issue

Updated: Jan-20

In-Page Navigation (click to jump) :

Opster Offer’s World-Class Elasticsearch Expertise In One Powerful Product
Try Our Free ES Check-Up   Prevent Incident

Troubleshooting background

To troubleshoot Elasticsearch log “Failed to index audit message from queue” it’s important to understand common problems related to Elasticsearch concepts: index, plugin, queue. See detailed explanations below complete with common problems, examples and useful tips.

Index in Elasticsearch

What it is

In Elasticsearch, an index (indices in plural) can be thought of as a table inside a database that has a schema and can have one or more shards and replicas. An Elasticsearch index is divided into shards and each shard is an instance of a Lucene index.

Indices are used to store the documents in dedicated data structures corresponding to the data type of fields. For example, text fields are stored inside an inverted index whereas numeric and geo fields are stored inside BKD trees.

Examples
Create Index

The following example is based on Elasticsearch version 5.x onwards. An index with two shards, each having one replica will be created with the name test_index1

PUT /test_index1?pretty
{
    "settings" : {
        "number_of_shards" : 2,
        "number_of_replicas" : 1
    },
    "mappings" : {
        "properties" : {
            "tags" : { "type" : "keyword" },
            "updated_at" : { "type" : "date" }
        }
    }
}
List Indices

All the index names and their basic information can be retrieved using the following command:

GET _cat/indices?v
Index a document

Let’s add a document in the index with below command:

PUT test_index1/_doc/1
{
  "tags": [
    "opster",
    "elasticsearch"
  ],
  "date": "01-01-2020"
}
Query an index
GET test_index1/_search
{
  "query": {
    "match_all": {}
  }
}
Query Multiple Indices

It is possible to search multiple indices with a single request. If it is a raw HTTP request, Index names should be sent in comma-separated format, as shown in the example below, and in the case of a query via a programming language client such as python or Java, index names are to be sent in a list format.

GET test_index1,test_index2/_search
Delete Indices
DELETE test_index1
Common Problems
  • It is good practice to define the settings and mapping of an Index wherever possible because if this is not done, Elasticsearch tries to automatically guess the data type of fields at the time of indexing. This automatic process may have disadvantages, such as mapping conflicts, duplicate data and incorrect data types being set in the index. If the fields are not known in advance, it’s better to use dynamic index templates.
  • Elasticsearch supports wildcard patterns in Index names, which sometimes aids with querying multiple indices, but can also be very destructive too. For example, It is possible to delete all the indices in a single command using the following commands:
DELETE /*

To disable this, you can add the following lines in the elasticsearch.yml:

action.destructive_requires_name: true

Plugin in Elasticsearch

What it is

A plugin is used to enhance the core functionalities of Elasticsearch. Elasticsearch provides some core plugins as a part of their release installation. In addition to those core plugins, it is possible to write your own custom plugins as well. There are several community plugins available on GitHub for various use cases.

Examples:
  • Get all the instructions for the plugin usage
sudo bin/elasticsearch-plugin -h
  • Installing S3 plugin using URL for storing Elasticsearch snapshots on S3
sudo bin/elasticsearch-plugin install repository-s3
  • Removing a plugin
sudo bin/elasticsearch-plugin remove repository-s3
  • Installing a plugin using the file path
sudo bin/elasticsearch-plugin install file:///path/to/plugin.zip

Notes:
  • Plugins are installed and removed using the elasticsearch-plugin script, which ships as a part of Elasticsearch installation and can be found inside the bin/ directory of the Elasticsearch installation path.
  • A plugin has to be installed on every node of the cluster and each of the nodes has to be restarted to make the plugin visible.
  • You can also download the plugin manually and then install it using the elasticsearch-plugin install command, providing the file name/path of the plugin’s source file.
  • When a plugin is removed, you will need to restart every elasticsearch node in order to complete the removal process.

Common Problems:
  • Managing permission issues during and after plugin installation is the most common problem. If Elasticsearch was installed using the deb or rpm package then the plugin has to be installed using the root user, or else you can install the plugin as the user that owns all of the Elasticsearch files.
  • In case of deb or rpm package installation, it is important to check the permission of the plugins directory after plugin installation and update the permission if it has been modified using the following command:
chown -R elasticsearch:elasticsearch path_to_plugin_directory 
  • If your Elasticsearch nodes are running in a private subnet without internet access, you cannot install a plugin directly. In this case, you can simply download the plugins at once and copy the files inside the plugins directory of the Elasticsearch installation path on every node. The node has to be restarted in this case as well.

Queue in Elasticsearch


The queue term in Elasticsearch is used in the context of Thread Pools. Each node of the Elasticsearch cluster holds various thread pools to manage the memory consumption on that node for different types of requests. The queues come up with initial default limits as per node size but can be modified dynamically using _settings REST endpoint.

What it is used for

Queues are used to hold the pending requests for the corresponding thread pool instead of requests being rejected. For example, if there are too many search requests coming on the node which can not be processed at the same time, the requests are sent to the search thread pool queue.

Examples

Monitoring the thread pools using _cat API:

GET /_cat/thread_pool?v

Get details about each thread pool, including current current size:

GET /_nodes/thread_pool

Notes
  • Thread pool queues are one of the most important stats to monitor in Elasticsearch as they have a direct impact on the cluster performance and may halt the indexing and search requests.
  • The specific thread pool queue size can be changed using its type-specific parameters.
  • It is possible to update thread pool queue size dynamically using cluster setting API in version 2.x.
  • From Elasticsearch version 5.x onward, it is not possible to update the thread pool settings  dynamically via the cluster setting API. Rather, it is a node level setting and it must be configured inside elasticsearch.yml on each node and a node restart is required after the updates.

Common Problems
  • The most common problem that arises in Elasticsearch related to queues is EsRejectedExecutionException that occurs when queues are full and Elasticsearch nodes cannot keep up with the speed of the requests. This may lead to nodes not responding as well. To deal with this issue, thread pools need continuous monitoring and based on thread pool queue utilization, you may need to review and control the indexing/search requests or increase the resources of the cluster.
  • In case of bulk indexing queue rejection, increasing the size of the queue may cause the node to keep more data in memory, which may cause requests taking longer to complete and more heap space to be consumed. As a result you may face impact on cluster performance and stability.

To help troubleshoot related issues we have gathered selected Q&A from the community and issues from Github , please review the following for further information :

1 Why GCP Pub 0.59 K 

2Index Audit Output  


Log Context

Log ”Failed to index audit message from queue” classname is IndexAuditTrail.java
We have extracted the following from Elasticsearch source code to get an in-depth context :

                     logger.debug("index audit queue consumer interrupted"; e);
                    close();
                    break;
                } catch (Exception e) {
                    // log the exception and keep going
                    logger.warn("failed to index audit message from queue"; e);
                }
            }
            eventQueue.clear();
        }







About Opster

Opster identifies and predicts root causes of Elasticsearch problems, provides recommendations and can automatically perform various actions to prevent issues, optimize performance and save resources.

Learn more: Glossary | Blog| Troubleshooting guides | Error Repository

Need help with any Elasticsearch issue ? Contact Opster